Reverse Engineering Lottery Scratch Tickets For Profit (But Not Fame)

from the scratch-and-sniff dept

Jonah Lehrer has a fantastically entertaining article in Wired about cracking scratch card lottery tickets. It kicks off with a story about Mohan Srivastava, a statistician in Toronto who quickly realized that the scratch tickets couldn't actually be random, even if they try to give off that impression. Since the lotteries want to control how often people win, the numbers have be chosen by a careful algorithm -- and if that's the case, there's almost always ways to reverse engineer the algorithm. With the first game he tried it on, Srivastava was able to increase his odds to the point that he could pick a "winning" card 90% of the time. He ended up alerting the Ontario Lottery and Gaming Corporation -- though, he admits that he did so not for moral reasons, but because he quickly calculated that he probably wouldn't make that much money just by gaming the system:

His next thought was utterly predictable: "I remember thinking, I'm gonna be rich! I'm gonna plunder the lottery!" he says. However, these grandiose dreams soon gave way to more practical concerns. "Once I worked out how much money I could make if this was my full-time job, I got a lot less excited," Srivastava says. "I'd have to travel from store to store and spend 45 seconds cracking each card. I estimated that I could expect to make about $600 a day. That's not bad. But to be honest, I make more as a consultant, and I find consulting to be a lot more interesting than scratch lottery tickets."

Instead of secretly plundering the game, he decided to go to the Ontario Lottery and Gaming Corporation. Srivastava thought its top officials might want to know about his discovery. Who knows, maybe they'd even hire him to give them statistical advice. "People often assume that I must be some extremely moral person because I didn't take advantage of the lottery," he says. "I can assure you that that's not the case. I'd simply done the math and concluded that beating the game wasn't worth my time."

At first the Ontario Lottery ignored him. Apparently, lots of crackpots claim to have beaten the lottery, but haven't. So, instead, he sent a guy on the Ontario Lottery security team a package of unscratched cards, and sorted them into piles he thought were winners and losers. Apparently, he was pretty accurate, because they called him quickly after that and then pulled the game.

Of course, as often happens in these situations, the Lottery insisted that this was just a one-off error, and the rest of their games were secure. Srivastava correctly noted that was unlikely, as the chances that the ticket he'd randomly been given was the only one with a flaw seemed remote. And, even if he didn't think it was worth his time to game the system, that's not true for others. In fact, Srivastava notes that there are ways to profitably game the system:

I then ask Srivastava how a criminal organization might plunder the lottery. He lays out a surprisingly practical plan for what he would do: "At first glance, the whole problem with plundering is one of scale," he says. "I probably couldn't sort enough tickets while standing at the counter of the mini-mart. So I'd probably want to invent some sort of scanning device that could quickly sort the tickets for me." Of course, Srivastava might look a little suspicious if he started bringing a scanner and his laptop into corner stores. But that may not be an insurmountable problem. "Lots of people buy lottery tickets in bulk to give away as prizes for contests," he says. He asked several Toronto retailers if they would object to him buying tickets and then exchanging the unused, unscratched tickets. "Everybody said that would be totally fine. Nobody was even a tiny bit suspicious," he says. "Why not? Because they all assumed the games are unbreakable. So what I would try to do is buy up lots of tickets, run them through my scanning machine, and then try to return the unscratched losers. Of course, you could also just find a retailer willing to cooperate or take a bribe. That might be easier." The scam would involve getting access to opened but unsold books of tickets. A potential plunderer would need to sort through these tickets and selectively pick the winners. The losers would be sold to unwitting customers--or returned to the lottery after the game was taken off the market.

Lehrer then goes on to point out that there is statistical evidence that, at the very least, suggests that some gaming of the system has been done in various places.

Consider a series of reports by the Massachusetts state auditor. The reports describe a long list of troubling findings, such as the fact that one person cashed in 1,588 winning tickets between 2002 and 2004 for a grand total of $2.84 million. (The report does not provide the name of the lucky winner.) A 1999 audit found that another person cashed in 149 tickets worth $237,000, while the top 10 multiple-prize winners had won 842 times for a total of $1.8 million. Since only six out of every 100,000 tickets yield a prize between $1,000 and $5,000, the auditor dryly observed that these "fortunate" players would have needed to buy "hundreds of thousands to millions of tickets." (The report also noted that the auditor's team found that full and partial ticket books were being abandoned at lottery headquarters in plastic bags.)

Then there's the example of a woman in Texas, Joan Ginther, who has apparently won more than $1 million from the Texas lottery four separate times. There are also some indications that organized crime groups have regularly used such lottery tickets as a way to launder money -- and if they can crack the code, that makes the laundering process a lot more profitable.

Finally, the article notes that the Lottery industry around the world seems to more or less be in denial about the whole thing, frequently insisting that the new games are perfectly secure, and not even being all that aware of previous cracks and problems. The whole thing is well worth reading.

Reader Comments

Usually these things are an error. Most scratch lotteries do not reveal serial numbers or other identification in the open, they are usually covered by the "scratch coat" as well. If that scratch coat is already removed, the ticket isn't valid for redemption.

If they put an identifiable number or code in an open place, it's an error.

Re: Re:

Look at the pictures of the cards. The left side that says "your numbers" can be covered completely with latex. Problem solved, unless someone invents a way to see through the latex without scratching it off.

Re: Re: Re:

No, the left side is covered with latex when you buy it.

The flaw is that in order to add predictability, the designers probably removed too much randomness by trading off randomness for predictability and fast generation time. Apparently a pattern came out and the researcher guessed it.

It may very well be possible to reveal 72 numbers without revealing any pattern. No one can know for sure if that is true without a good mathematical analysis; however, even if it is possible to create such cards without patterns, it might not be feasible to create them economically or even to have the algorithms finish running during our lifetimes. This means that in practice the designers will take short-cuts (just like game designers take short-cuts in designing 3D games so that they perform well in real-time). It is in these short-cuts that likely patterns snuck in.

Re: Re: Re: Re:

I think what AC meant was that if you also covered 'right' side in latex and made people scratch those off before buying, then you can't predict the game in the manner described because you don't know the frequency of occurrences on the right side.

Re: Re:

If the numbers on each "card" were covered, he would not be able to make such a choice ahead of time. By leaving all the numbers exposed, they showed a large part of the game play.

If 8 of the 9 squares on each were covered (needed to be scratched before use), his method would not apply.

Basically, they put too much information out there. Usually it's an error in exposing a serial number (as you can see the serial numbers are exposed on the bottom), but in this case, it was just exposing too much of the card to the public before they buy it.

Re: Re: Re:

Basically, they put too much information out there. Usually it's an error in exposing a serial number (as you can see the serial numbers are exposed on the bottom), but in this case, it was just exposing too much of the card to the public before they buy it.
If you read the article you would discover that there is a reason why they expose too much information. It is marketing. The public prefers cards with some exposed information. There is no problem with exposing information if you do it right. However for some reason these companies don't bother. It may be because the companies are lazy but it is more likely to be a compromise between security and making the game attractive to play. From the companies point of view it doesn't really matter if a few individuals game the system - all they are doing is taking a little more money from the other players (who are onto a loser anyway). The companies control exactly how many winning tickets are printed so it doesn't affect their finances directly at all.

I agree with Richard

By exposing some of the information (numbers), the marks (the poor losers) think they have a chance of winning. They are involved in the process.

Having the word LOSER (or similar) covered in latex, ends the experience a lot faster, and thus there is not enough fantasy (read: addiction) involved.

My sister buys 20 lottery tickets a week; she says it's fun (thrilling) to get near-misses because it makes her heart race. Oh sure, she's one $600 - $900 before, but after several months worth of buying tickets at a cost of $1 to $2 each. [Do the math] Break Even.

In conclusion, it's a scam. The lottery is stacked against the player.

Re: Re: Re:

really? its a tic tac toe game, as in, there are numbers, visible, on a tic tac toe board. then you get call numbers, which are hidden until scratched. he uses the visible numbers on the tic tac toe board to crack them.

Re: Re:

I doubt they label most cards publicly starting from 1.

It's rather easy to attach a random numerical id to each ticket so that only those with the central computer mapping can know if the tic-tac-toe or other game pieces on that physical card with a given id matches what corresponds to that id on the central computer.

Re: Re: Re:

t's rather easy to attach a random numerical id to each ticket so that only those with the central computer mapping can know if the tic-tac-toe or other game pieces on that physical card with a given id matches what corresponds to that id on the central computer.

Re:

I have not read the article I am about to discuss. That will not, however, stop me from firing up the comment sheet and tossing out some unfounded assertions that have nothing to do with the story in question. As a member of the general internet populace, I see no problem with this.

Re: Re:

Re: Re: Re:

How dare you point out my stupidity! Being a part of the teeming masses of the ignorant, anonymous internet horde, I am justifiably outraged at your characterization of my useless posting habits. You have left me no option but to attempt a lame insult, thereby also announcing my intention to fail to learn from my mistakes, and to take absolutely no action to correct my glaring intellectual shortcomings.

Re:

Things may have changed in the ~10 years since I worked as a clerk, but I doubt it. Scratch offs had a bar code on the back that was used to redeem the tickets. Even though that barcode was unique to each ticket and psuedo-random, it would not be impossible to crack.

The key to beating any gambling game is not to win all the time (that just generates attention), but more than your 'fair' share.

Arrested

"People often assume that I must be some extremely moral person because I didn't take advantage of the lottery,"

He could be extremely short-sighted. This particular game might not have been worth his while, but another game with higher payouts and a similar flaw might have been in the future.

But what I don't get is how you're supposed to be able to examine scratchoff tickets to figure out which ones would pay off. They're usually behind the counter in big rolls and I don't think they'd let you go through them all looking for a winner.

Re:

Usually you can see the sequential number of at least one ticket for that pack. Depending on the how the dispenser is set up this is either the next to be sold or has one or two to be sold before it.

Knowing this you can have a general idea where in the sequence of that pack. When I worked at a convenience store in high school the more frequent players would pick up on patterns and wouldn't buy cards in certain ranges. I'm pretty sure these players weren't using math to determine this (cause they could easily do the math and realize they were spending more then they were winning) but rather by noticing trends.

As for the original article, I can't imagine anyone would accept the return of lottery tickets after a sale especially out of order.

He doesn't use anything about the numbering of the tickets. He doesn't use any other identifying information. He uses the MECHANIC of the ticket and information that you can glean from MECHANIC. The mechanic of the game was such that any time numbers appeared a single time on a card and that those singles appeared in a row/column, the card was substantially more likely to be a winner than not.

Re:

Yes, and the lottery company made a mistake by revealing too much information "pre-buy". If those boxes had 8 of 9 numbers covered, exposing only the center on each card, it wouldn't have changed anything, but would have revealed less.

By putting that much information out there (72 numbers, and 64 combinations) they provided way too much information, more than enough for people to be able to determine patterns.

Yes, it is ALSO a failing in their methods for encoding the cards, but the real error was in giving the buyer too much information before purchase.

Re: Re:

but the real error was in giving the buyer too much information before purchase.

It wasn't an error.

Cards with more information sell better - and neither the lottery company nor the store loses from people gaming the system. From the company's point of view the extra sales are a win - and the losses from people gaming the system are born by someone else. (The other players - who are basically paying a stupidity task anyway.)

So from the companies point of view this is all fine provided it doesn't get too much media attention.

I thought they were 'real' random.

You start your article with the claim that a statistician realized the random numbers were not really random, but generated by an algorithm. I have also been thinking about this and came to the conclusioon that the smartest thing one could was to use http://random.org/, which samples noise and generates random numbers like that. Then it becomes much more difficulty to track/seed the sequence of pseudorandom numbers.

Re: I thought they were 'real' random.

The algorithm they're using isn't failing at creating random numbers, as all computers do, it's succeeding at creating the illusion of random numbers.

They cannot use a truly random number generator because they must control how many win and how many lose. If they used one then they can output tickets that win more money then lost. There's also the chance that none of the tickets win and everyone gets pissed off and you don't sell any more. They must create a happy medium to keep people coming back.

That's where the problem lies. Any computer controlled random number generator can be cracked. There is a pattern even if we don't see it. That's what this guy did, he cracked the pattern. And from the statistics posted here, it seems others may have in the US as well.

Re: Re: I thought they were 'real' random.

>> Any computer controlled random number generator can be cracked. There is a pattern even if we don't see it.

To clarify, the problem was not in generating pseudo-random numbers. The generators can be made to be very good. The problem was in the higher level rules used to generate the game pieces. Having perfectly random numbers to work with would not have saved the day because the flaw was in not using the random stream of numbers sufficiently.

An example of a high level rule that stinks is: pick the upper row on the first board to win for all the winning tickets. Also, make sure these numbers are 1,2, and 3 (and of course appear within the 24 hidden ones). Note that no randomness was used here.

Now, even if you do everything else right (other numbers look random, you have exactly the number of winners you want, etc), at some point quickly "someone" is going to realize that all the winning tickets have exactly 1 2 3 on the very top of the first tic-tac-toe game.

This is a major flaw that is trivially exploitable once you see the (obvious) pattern. The pattern would be suggest to probably almost anyone by merely looking carefully at 2 winning cards side by side.

Note, how this major flaw had nothing to do with the PRNG. It was a flaw in the compromise the designers struck between using PRNG on the one hand and making non-random decisions on the other (in their attempt to create predictability of total winnings).

That is what happened with the 2003 tic-tac-toe. The flaw was not that obvious, but it was a design flaw of the game generation algorithm and not a PRNG flaw.

Re: Re: I thought they were 'real' random.

What a heap of bullocks. I have 1'000'000'000 tickets printed and I need 50 winners. I thus need only 50 random numbers between 1 and 1'000'000'000. If they are created based on thermal noise there is very little you can do to predict those 50 numbers.

Clearly they didn't use such an algorithm but that is not because the technology exists but rather stupidity from their side.

Nice twist ;0

Re: Nice twist ;0

That one's easy: "No."

And yes, I've watched the show a few times. Enough to know that they're making it up as they go along. Nobody on earth is as expert as that curly-haired dweed is. Pick any three shows, and nobody is as expert in those 3 fields as he is, much less all of them.

Lottery

I agree with the Lehrer article in Wired. Fascinating.
If this type of thing interests you, I'd recommend a novel
by David Baldacci called "The Winner", which describes an interesting ploy to produce winning numbers. Good read!

What if you could scan your lottery ticket into your mobile phone?!
We'll you can using the Lott Alert mobile app.
Scan it, store it, and set the alert system to let you know when you win, didn't win. It can alert you to the next drawing and jackpot amounts. You can even get an Alert when the Powerball or Mega Millions goes over super large amounts.
visit lottoAlert.me for more information.
Lotto Alert is an App for your iPhone, iPad or Android phone to store your Lottery ticket and provide alerts when you win and remind you of drawings before it's too late.

texas lottery

Hello
A lottery is a form of gambling which involves the drawing of lots for a prize.Lottery is outlawed by some governments, while others endorse it to the extent of organizing a national or state lottery. It is common to find some degree of regulation of lottery by governments. At the beginning of the 20th century, most forms of gambling, including lotteries and sweepstakes, were illegal in many countries, including the U.S.A. and most of Europe.

Reverse Engineering gag

Where I formerly worked (a mfg.co.) we had barcode scanners to produce and read our labels. One day I heard a co-worker approaching, I grabbed some scratch off lottery tickets and scanned the bar code. The reader beeped and displayed a number on the screen. She took one look and said "What are you up to?" I said "Nothing". "I want to know exactly what you are doing or I'll have you reported to the police" Needless to say, she looked pretty dumb with her accusations. She wanted a piece of the alledged action.

Re:Tarded

I realize this is a 3 year old article (if you can call it an article.) But.. all you have done is use an entire page to summarize another article on another website.. and then suggest that "its a worthwhile read." To which I say, I already fuŠking read it, and was looking for more information on the topic, learn to fuŠking stop failing at succeeding at creating, d0uchebag